MEDIUM 4.9 Go

NATS JetStream has an authorization bypass through its Management API

GHSA-9983-vrx2-fg9c · BIT-nats-2026-33222 · CVE-2026-33222 · GO-2026-4832


Description

Background

NATS.io is a high-performance, open-source pub-sub distributed communication technology, built for the cloud, on-premises, IoT, and edge computing.

The persistent storage feature, JetStream, provides a management API with many capabilities, among them stream backup and restore.

Problem Description

Users granted JetStream admin API access to restore one stream could restore into other stream names, affecting data that should have been protected from them.
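The advisory does not state how the bypass arises, but the shape of the flaw (authorization granted for one stream name, write landing in another) is a general one. The following added example is not nats-server code: it illustrates the consistency check a server should apply to a restore request, namely that the stream named in the request payload must equal the stream named in the API subject against which the caller's permissions were evaluated. The subject layout `$JS.API.STREAM.RESTORE.<stream>`, the `RestoreRequest` shape, the `allowed` set and the sample requests are all assumptions or constructed inputs for the illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// restoreSubjectPrefix is the JetStream API subject prefix for stream restore
// requests; the final token is the target stream name. This layout is an
// assumption for the example, not taken from the advisory.
const restoreSubjectPrefix = "$JS.API.STREAM.RESTORE."

// RestoreRequest is a constructed, minimal stand-in for a restore payload:
// a stream configuration whose Name is the stream the caller wants written.
type RestoreRequest struct {
	Config struct {
		Name string `json:"name"`
	} `json:"config"`
}

// StreamNameFromSubject extracts the stream token from a restore subject and
// rejects tokens that are empty or contain subject metacharacters.
func StreamNameFromSubject(subject string) (string, error) {
	if !strings.HasPrefix(subject, restoreSubjectPrefix) {
		return "", errors.New("not a stream restore subject")
	}
	name := strings.TrimPrefix(subject, restoreSubjectPrefix)
	if name == "" || strings.ContainsAny(name, ".*>") {
		return "", errors.New("invalid stream name in subject")
	}
	return name, nil
}

// AuthorizeRestore decides whether a caller may perform the restore described
// by payload. allowed is the set of stream names the caller's permissions
// grant restore on (hypothetical; in NATS this is expressed as publish
// permission on the API subject). The key check is the last one: the stream
// named inside the payload must equal the stream the subject authorized,
// otherwise a caller permitted on one stream could write into another.
func AuthorizeRestore(subject string, payload []byte, allowed map[string]bool) (string, error) {
	subjStream, err := StreamNameFromSubject(subject)
	if err != nil {
		return "", err
	}
	if !allowed[subjStream] {
		return "", fmt.Errorf("restore of %q not permitted", subjStream)
	}
	var req RestoreRequest
	if err := json.Unmarshal(payload, &req); err != nil {
		return "", fmt.Errorf("bad restore request: %w", err)
	}
	if req.Config.Name != subjStream {
		return "", fmt.Errorf("payload names stream %q but request was authorized for %q",
			req.Config.Name, subjStream)
	}
	return subjStream, nil
}

func main() {
	// Constructed sample: the caller is allowed to restore ORDERS only.
	allowed := map[string]bool{"ORDERS": true}

	// Subject names a permitted stream, but the payload targets a different one.
	_, err := AuthorizeRestore("$JS.API.STREAM.RESTORE.ORDERS",
		[]byte(`{"config":{"name":"AUDIT"}}`), allowed)
	fmt.Println("mismatched payload rejected:", err != nil)

	// Subject and payload agree on a permitted stream.
	name, err := AuthorizeRestore("$JS.API.STREAM.RESTORE.ORDERS",
		[]byte(`{"config":{"name":"ORDERS"}}`), allowed)
	fmt.Println("consistent request accepted:", name, err)
}
```

The point of the example is that permission evaluation and the write target must refer to the same value; when a request carries the target name in two places (subject and body), the server has to bind them together rather than trusting either one alone.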

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
